Hardware Wallets vs Air-gapped Old Laptop: Is the supply chain risk real?

[dkbit98]

Am I being too paranoid? Is a hardware wallet really safer than a properly set up air-gapped machine, or are we just paying for convenience?

Yes it is, especially for newbies or people without a tech background.
There is much bigger risk in messing something with alleged airgapped laptop compared to good open source hardware wallet.
I am not saying using laptop for cold storage is bad by default, but it's not suitable for average bitcoin user who don't understand how everything works.
For most people it would probably be easier to use old smartphone instead of laptop, something like pixel phone with grapheneOS.

[bakasabo]

Dont forget, that with every wallet update you risk not being able to install it on old laptop. That means being less secured. Dont forget, that is something goes down in old laptop, hard drive, wifi network adaptor, it will take when you will find replacement part if even find it at all. I would not go with old laptop. You will be less mobile than with tiny hardware wallet.

[philipma1957]

I have been reading a lot about cold storage lately. The standard advice everywhere is "just buy a hardware wallet" (Trezor, Ledger, Coldcard, etc).
​
However, coming from a background of digital privacy, I have a concern that I can't shake off: Supply Chain Attacks.
​If I order a device, it travels through many hands before it reaches my mailbox. Even if the packaging looks perfect, how can I be 100% sure the firmware or the chip wasn't tampered with?
​Currently, I am using an old laptop with the Wi-Fi card physically removed, booting Tails OS from a USB stick. It feels safer to me because:
​1. I downloaded the OS myself and verified the PGP signature.
​2. The hardware is generic old trash, not a target for crypto-thieves.
​3. It never touches the internet.
​
Am I being too paranoid? Is a hardware wallet really safer than a properly set up air-gapped machine, or are we just paying for convenience?

Why use a USB stick to boot.



If you use Linux on a 2tb ssd as boot and as the core operator. And make 2 clones of the drive on hdds you should be fine.

Obviously encrypt the drives
Obviously encrypt the core bitcoin program

[sokani]

Also I ordered keystone wallet because it's very sensitive to malicious attempts.

Before you do anything on the wallet you need to verify it with the platform itself, this hardware wallet security level is insane, they will verify for you if that wallet is not already been tempered with, I wish I took the screenshot when I was going through the process.

It's the same with Trevor's wallet. I guess it is industry standard, or one manufacturer copied the other. During setup, after connecting the hardware device to Trezor Suite, it will check if the device is authentic before you will be allowed to download the firmware. Also, another security measure Trezor put in place is that, the USD port is sealed up and there's a warning on it that you shouldn't use it if the seal has been broken.

[God Of Thunder]

Sometimes I feel stupid seeing how security-conscious you guys are. I wasn't that concerned, probably because I never had enough money to keep that in a safe wallet. I used to receive my pay and send it directly to the exchange, where I would sell it for local currency. I started with centralized exchanges, using them regularly before I realized that they don't give me complete control over my wallet.

I got a hardware wallet, and I think I received it at the perfect time. Even after receiving the hardware wallet, I didn't use it for the next six months. I started using it lately to keep my Bitcoin and the escrowed funds safely.

[SeriouslyGiveaway]

Sometimes I feel stupid seeing how security-conscious you guys are. I wasn't that concerned, probably because I never had enough money to keep that in a safe wallet. I used to receive my pay and send it directly to the exchange, where I would sell it for local currency. I started with centralized exchanges, using them regularly before I realized that they don't give me complete control over my wallet.

Centralized exchanges have risk but with newbies, I believe before they master how to use non-custodial wallets, from security of their devices, how to download, install wallet softwares, how to create a wallet, make wallet backups, how to use backups for recovery, and others they simply can use centralized exchanges and accounts there for storing their funds.

It's safer for newbies but they must learn about non-custodial wallets, practice with testnet coins for mastering these steps and move their funds from centralized exchanges, custodial wallets to non-custodial wallets as soon as possible.

This reminder is always true but before newbies learn and master steps to do everything by themselves, as said, centralized exchanges are safer places for them.
Reminder: do not keep your money in online accounts.

[God Of Thunder]

Centralized exchanges have risk but with newbies, I believe before they master how to use non-custodial wallets, from security of their devices, how to download, install wallet softwares, how to create a wallet, make wallet backups, how to use backups for recovery, and others they simply can use centralized exchanges and accounts there for storing their funds.

It's safer for newbies but they must learn about non-custodial wallets, practice with testnet coins for mastering these steps and move their funds from centralized exchanges, custodial wallets to non-custodial wallets as soon as possible.

Yeah, I think I will have to agree with you. It was easy for me to create an account using my email address as a newbie, although I may not have fully understood the importance of the seed phrase at the time. There is a possibility for newbies not to keep their seed phrases in safe places, since they are already logged in on their wallet. I have learned almost everything from this forum about the non-custodial wallets and what is the difference between the wallet and exchanges. I agree that exchanges are easy to use for the newbies, but they should go for a no KYC centralized exchanges.

[philipma1957]

Centralized exchanges have risk but with newbies, I believe before they master how to use non-custodial wallets, from security of their devices, how to download, install wallet softwares, how to create a wallet, make wallet backups, how to use backups for recovery, and others they simply can use centralized exchanges and accounts there for storing their funds.

It's safer for newbies but they must learn about non-custodial wallets, practice with testnet coins for mastering these steps and move their funds from centralized exchanges, custodial wallets to non-custodial wallets as soon as possible.

Yeah, I think I will have to agree with you. It was easy for me to create an account using my email address as a newbie, although I may not have fully understood the importance of the seed phrase at the time. There is a possibility for newbies not to keep their seed phrases in safe places, since they are already logged in on their wallet. I have learned almost everything from this forum about the non-custodial wallets and what is the difference between the wallet and exchanges. I agree that exchanges are easy to use for the newbies, but they should go for a no KYC centralized exchanges.

If you want a no kyc exchange you really need to understand you countries tax laws

[X-ray]

​
Am I being too paranoid? Is a hardware wallet really safer than a properly set up air-gapped machine, or are we just paying for convenience?

You can't be too paranoid when it comes to storing your money but to be fair using old hardware is also risky, who knows if there is an exploit right there.

Supply chain attack is real concern but as long as you buy it from the hardware wallet manufacturer directly I think you're fine. There are also some security measures to make you sure you received the real thing such as seals, etc.

Honestly I'd be more concerned about the software supply chain attack from open source library that got hijacked much more than hardware compromise. It's the real attack where people have lost millions.

[CryptoVoyager24]

@x-ray
​>Honestly I'd be more concerned about the software supply chain attack from open source library that got hijacked

​That is a terrifying point, and you are 100% right. "Open Source" doesn't automatically mean "Audited".
​However, that is exactly why I try to keep the software stack as minimal as possible (basic Electrum on Tails). The more complex the wallet software (and the more fancy UI libraries it pulls in), the wider the attack surface.
​I guess there is no silver bullet, we just choose which risk we are more comfortable with: hardware blindness or software complexity.

[God Of Thunder]

If you want a no kyc exchange you really need to understand you countries tax laws

Fortunately, Bitcoin and all other cryptocurrencies are banned in my country. Exchanges aren't monitored here. The exchanges never transfer their data to the government, and the government doesn't know anything about my crypto holdings. Even if they know, they don't bother for a tiny amount of money. If it's a few hundred thousands dollars, then probably some corrupted Police officers would try to steal the crypto instead of seizing it for the government. Since it is banned, we can forget about the tax on our crypto earnings.

[Lucius]

Centralized exchanges have risk but with newbies, I believe before they master how to use non-custodial wallets, from security of their devices, how to download, install wallet softwares, how to create a wallet, make wallet backups, how to use backups for recovery, and others they simply can use centralized exchanges and accounts there for storing their funds.
~snip~

I agree with you to some extent, but in my opinion it would be much more logical for every beginner to first try to learn how to use non-custodial wallets and what "not your keys, not your coins" actually means. Only then could they start investing and using CEXs (if there is no other choice) and not use them for storage.

What you advise is fine in principle, but only if the habit is not created that CEXs are some kind of crypto banks where it is safer to store cryptocurrencies than in non-custodial wallets. The liquidity of the largest CEXs, on the other hand, tells us that there are still too many coins stored there within the reach of hackers or malicious employees.

[tabas]

If someone is paranoid about buying a hardware wallet on a local store, just check their official website and see if they have an official reseller in your area. That's one way of checking if the store you're buying is really associated and partnered from the actual manufacturer. It is less hassle and headache if the store near you is affiliated with the chosen hardware wallet. And one red flag that usually the buyers get from unofficial ones is that their hardware wallets are pre-seeded or pre-generated with seed phrases.

[Cookdata]

If someone is paranoid about buying a hardware wallet on a local store, just check their official website and see if they have an official reseller in your area. That's one way of checking if the store you're buying is really associated and partnered from the actual manufacturer. It is less hassle and headache if the store near you is affiliated with the chosen hardware wallet. And one red flag that usually the buyers get from unofficial ones is that their hardware wallets are pre-seeded or pre-generated with seed phrases.

The challenge of official shop is they run out of store quickly. Trezor safe 7 for example has been out of stock for more than 2 months and now any official announcement about restock. I think this is done to have a review about the product before they mass produced more safe 7 hard wallet in masses. I also feel resselers are the reason why this wallet finished on time, they buy everything at once with intention of reselling at high value. If you check Amazon for Trezor safe 7, it's available but it's not available in the Trezor official store.

Here is one; https://www.amazon.com/Trezor-Safe-Touchscreen-Transparent-Quantum-Ready/dp/B0G2LX4TFC

With this batch sales, there should be reviews and problems encountered, it's these reviews they follow to make adjustments for another batch production.

If you're unable to buy hardware wallet from official store and it's not like they stopped production of that version, don't buy from other shops. Wait for another batch sales.